package org.apache.jackrabbit.oak.jcr.security.authorization;

import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.test.NotExecutableException;
import org.apache.jackrabbit.util.Text;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlManagementTest.class */
public class AccessControlManagementTest extends AbstractEvaluationTest {
    @Test
    public void testReadAccessControlContent() throws Exception {
        allow(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}readAccessControl"));
        deny(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}read"));
        assertTrue(this.testSession.nodeExists(this.path + "/rep:policy"));
        assertTrue(this.testSession.propertyExists(this.path + "/rep:policy/jcr:primaryType"));
        assertFalse(this.testSession.nodeExists(this.path));
        assertFalse(this.testSession.propertyExists(this.path + "/jcr:primaryType"));
    }

    @Test
    public void testAccessControlPrivileges() throws Exception {
        JackrabbitAccessControlList allow = allow(this.path, privilegesFromNames(new String[]{"rep:write", "{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}modifyAccessControl"}));
        assertTrue(this.testSession.itemExists(allow.getPath() + "/rep:policy"));
        this.testAcMgr.getPolicies(allow.getPath());
        this.testAcMgr.removePolicy(allow.getPath(), allow);
    }

    @Test
    public void testSetNewPolicy() throws Exception {
        allow(this.path, privilegesFromNames(new String[]{"rep:write", "{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}modifyAccessControl"}));
        AccessControlPolicyIterator applicablePolicies = this.testAcMgr.getApplicablePolicies(this.childNPath);
        while (applicablePolicies.hasNext()) {
            AccessControlPolicy nextAccessControlPolicy = applicablePolicies.nextAccessControlPolicy();
            this.testAcMgr.setPolicy(this.childNPath, nextAccessControlPolicy);
            this.testSession.save();
            this.testAcMgr.removePolicy(this.childNPath, nextAccessControlPolicy);
            this.testSession.save();
        }
    }

    @Test
    public void testSetModifiedPolicy() throws Exception {
        JackrabbitAccessControlList allow = allow(this.path, privilegesFromNames(new String[]{"rep:write", "{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}modifyAccessControl"}));
        AccessControlList[] policies = this.testAcMgr.getPolicies(this.path);
        assertEquals(1, policies.length);
        assertTrue(policies[0] instanceof AccessControlList);
        if (policies[0].addAccessControlEntry(this.testUser.getPrincipal(), privilegesFromName("{http://www.jcp.org/jcr/1.0}lockManagement"))) {
            this.testAcMgr.setPolicy(this.path, allow);
            this.testSession.save();
        }
    }

    @Test
    public void testRemovePolicyWithoutPrivilege() throws Exception {
        JackrabbitAccessControlList allow = allow(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}read"));
        assertFalse(this.testAcMgr.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyAccessControl")));
        try {
            this.testAcMgr.removePolicy(this.path, allow);
            fail("Test user must not be allowed to remove the access control policy.");
        } catch (AccessDeniedException e) {
        }
    }

    @Test
    public void testRemovePolicy() throws Exception {
        allow(this.path, privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}modifyAccessControl"}));
        assertTrue(this.testAcMgr.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyAccessControl")));
        this.testAcMgr.removePolicy(this.path, this.testAcMgr.getPolicies(this.path)[0]);
        this.testSession.save();
    }

    @Test
    public void testRetrievePrivilegesOnAcNodes() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}readAccessControl");
        allow(this.path, privilegesFromName);
        assertTrue(this.testAcMgr.hasPrivileges(this.path, privilegesFromName));
        AccessControlPolicy[] policies = this.testAcMgr.getPolicies(this.path);
        assertEquals(1, policies.length);
        assertTrue(policies[0] instanceof JackrabbitAccessControlList);
        String str = null;
        NodeIterator nodes = this.superuser.getNode(this.path).getNodes();
        while (nodes.hasNext()) {
            Node nextNode = nodes.nextNode();
            if (nextNode.isNodeType("rep:Policy")) {
                str = nextNode.getPath();
            }
        }
        if (str == null) {
            fail("Expected node at " + this.path + " to have an ACL child node.");
        }
        assertTrue(this.testAcMgr.hasPrivileges(str, privilegesFromName));
        assertTrue(this.testSession.hasPermission(str, "read"));
        NodeIterator nodes2 = this.superuser.getNode(str).getNodes();
        while (nodes2.hasNext()) {
            String path = nodes2.nextNode().getPath();
            assertTrue(this.testAcMgr.hasPrivileges(path, privilegesFromName));
            assertTrue(this.testSession.hasPermission(path, "read"));
        }
    }

    @Test
    public void testReadAccessControlWithoutPrivilege() throws Exception {
        JackrabbitAccessControlList allow = allow(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}read"));
        String str = allow.getPath() + "/rep:policy";
        assertTrue(this.superuser.itemExists(str));
        assertFalse(this.testAcMgr.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}readAccessControl")));
        assertFalse(this.testSession.itemExists(str));
        assertFalse(this.testSession.nodeExists(str));
        try {
            this.testSession.getNode(str);
            fail("Accessing the rep:policy node must throw PathNotFoundException.");
        } catch (PathNotFoundException e) {
        }
        try {
            this.testAcMgr.getPolicies(allow.getPath());
            fail("test user must not have READ_AC privilege.");
        } catch (AccessDeniedException e2) {
        }
        try {
            this.testAcMgr.getEffectivePolicies(allow.getPath());
            fail("test user must not have READ_AC privilege.");
        } catch (AccessDeniedException e3) {
        }
        NodeIterator nodes = this.superuser.getNode(str).getNodes();
        while (nodes.hasNext()) {
            Node nextNode = nodes.nextNode();
            assertFalse(this.testSession.nodeExists(nextNode.getPath()));
            PropertyIterator properties = nextNode.getProperties();
            while (properties.hasNext()) {
                assertFalse(this.testSession.propertyExists(properties.nextProperty().getPath()));
            }
        }
    }

    @Test
    public void testReadAccessControl() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}readAccessControl");
        allow(this.path, privilegesFromName);
        assertTrue(this.testAcMgr.hasPrivileges(this.path, privilegesFromName));
        assertTrue(this.testSession.nodeExists(this.path + "/rep:policy"));
        this.testAcMgr.getPolicies(this.path);
        assertTrue(this.testAcMgr.hasPrivileges(this.childNPath, privilegesFromName));
        assertEquals(0, this.testAcMgr.getPolicies(this.childNPath).length);
    }

    @Test
    public void testReadAccessControlWithRestriction() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}readAccessControl");
        allow(this.path, privilegesFromName, createGlobRestriction("/" + this.nodeName2));
        assertFalse(this.testAcMgr.hasPrivileges(this.path, privilegesFromName));
        assertFalse(this.testSession.nodeExists(this.path + "/rep:policy"));
        try {
            this.testAcMgr.getPolicies(this.path);
            fail("AccessDeniedException expected");
        } catch (AccessDeniedException e) {
        }
        assertTrue(this.testAcMgr.hasPrivileges(this.childNPath, privilegesFromName));
        assertEquals(0, this.testAcMgr.getPolicies(this.childNPath).length);
    }

    @Test
    public void testAclReferingToRemovedPrincipal() throws Exception {
        String path = allow(this.path, this.repWritePrivileges).getPath();
        this.testUser.remove();
        this.superuser.save();
        this.testUser = null;
        Session superuserSession = getHelper().getSuperuserSession();
        try {
            getAccessControlManager(superuserSession).getPolicies(path);
            superuserSession.logout();
        } catch (Throwable th) {
            superuserSession.logout();
            throw th;
        }
    }

    @Test
    public void testAccessControlModificationWithoutPrivilege() throws Exception {
        JackrabbitAccessControlList allow = allow(this.path, privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}addChildNodes", "{http://www.jcp.org/jcr/1.0}removeChildNodes", "{http://www.jcp.org/jcr/1.0}modifyProperties"}));
        assertTrue(this.superuser.itemExists(allow.getPath() + "/rep:policy"));
        try {
            this.testAcMgr.setPolicy(allow.getPath(), allow);
            fail("test user must not have MODIFY_AC privilege.");
        } catch (AccessDeniedException e) {
        }
        try {
            this.testAcMgr.removePolicy(allow.getPath(), allow);
            fail("test user must not have MODIFY_AC privilege.");
        } catch (AccessDeniedException e2) {
        }
    }

    @Test
    public void testAccessControlModification() throws Exception {
        assertTrue(this.superuser.itemExists(allow(this.path, privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}modifyAccessControl"})).getPath() + "/rep:policy"));
        assertTrue(this.testAcMgr.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyAccessControl")));
        AccessControlPolicy[] policies = this.testAcMgr.getPolicies(this.path);
        this.testAcMgr.getPolicies(this.childNPath);
        try {
            this.testAcMgr.getPolicies(this.siblingPath);
            fail("READ_AC privilege must not apply outside of the tree it has applied to.");
        } catch (AccessDeniedException e) {
        }
        assertFalse(this.testAcMgr.hasPrivileges(this.siblingPath, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyAccessControl")));
        AccessControlList accessControlList = (AccessControlList) policies[0];
        accessControlList.addAccessControlEntry(this.testUser.getPrincipal(), this.repWritePrivileges);
        this.testAcMgr.setPolicy(this.path, accessControlList);
        this.testSession.save();
        assertTrue(this.testAcMgr.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes")));
        this.testAcMgr.removePolicy(this.path, policies[0]);
        this.testSession.save();
        try {
            this.testAcMgr.getEffectivePolicies(this.childNPath);
            fail("READ_AC privilege has been revoked -> must throw again.");
        } catch (AccessDeniedException e2) {
        }
        assertReadOnly(this.path);
    }

    @Test
    public void testAcContentIsProtected() throws Exception {
        Node findPolicyNode = findPolicyNode(this.superuser.getRootNode());
        if (findPolicyNode == null) {
            throw new NotExecutableException("no policy node found.");
        }
        assertTrue("The rep:Policy node must be protected", findPolicyNode.getDefinition().isProtected());
        try {
            findPolicyNode.remove();
            fail("rep:Policy node must be protected.");
        } catch (ConstraintViolationException e) {
        }
        NodeIterator nodes = findPolicyNode.getNodes();
        while (nodes.hasNext()) {
            Node nextNode = nodes.nextNode();
            if (nextNode.isNodeType("rep:ACE")) {
                try {
                    nextNode.remove();
                    fail("ACE node must be protected.");
                    break;
                } catch (ConstraintViolationException e2) {
                }
            }
        }
        try {
            findPolicyNode.setProperty("test", "anyvalue");
            fail("rep:policy node must be protected.");
        } catch (ConstraintViolationException e3) {
        }
        try {
            findPolicyNode.addNode("test", "rep:ACE");
            fail("rep:policy node must be protected.");
        } catch (ConstraintViolationException e4) {
        }
    }

    private static Node findPolicyNode(Node node) throws RepositoryException {
        Node node2 = null;
        if (node.isNodeType("rep:Policy")) {
            node2 = node;
        }
        NodeIterator nodes = node.getNodes();
        while (nodes.hasNext() && node2 == null) {
            Node nextNode = nodes.nextNode();
            if (!"jcr:system".equals(nextNode.getName())) {
                node2 = findPolicyNode(nextNode);
            }
        }
        return node2;
    }

    @Test
    public void testReorderPolicyNode() throws Exception {
        Node node = this.testSession.getNode(this.path);
        if (!node.getPrimaryNodeType().hasOrderableChildNodes()) {
            throw new NotExecutableException("Reordering child nodes is not supported..");
        }
        node.orderBefore(Text.getName(this.childNPath2), Text.getName(this.childNPath));
        this.testSession.save();
        fail("test session must not be allowed to reorder nodes.");
        allow(this.path, privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}all"}));
        node.orderBefore(Text.getName(this.childNPath2), Text.getName(this.childNPath));
        this.testSession.save();
        node.orderBefore("rep:policy", Text.getName(this.childNPath2));
        this.testSession.save();
    }

    @Test
    public void testRemoveMixin() throws Exception {
        Node node = this.superuser.getNode(this.path);
        deny(this.path, this.readPrivileges);
        assertTrue(node.hasNode("rep:policy"));
        assertTrue(node.isNodeType("rep:AccessControllable"));
        node.removeMixin("rep:AccessControllable");
        this.superuser.save();
        assertFalse(node.hasNode("rep:policy"));
        assertFalse(node.isNodeType("rep:AccessControllable"));
    }
}
